Blog

Double Thanks, with Two Factor Authentication

While Americans were feasting on turkey and stuffing yesterday*, Francesco was back in Italy putting the final touches on the next release: Two Factor Authentication.

This is a first roll-out using a one-time code, which will be sent to you via email during sign-in to your Passpack account. You can choose the email you’d like to receive the code at, and whether or not you’d like it to be required all the time, or (my favorite) only when your Welcome Message is inactive.

This feature is completely optional. To set up a second factor of authentication, choose Two Factor Authentication from your Settings menu.

Two Step Login AND Two Factor Authentication

Passpack uses a two-step login. In the first step, the user has to be recognized, with User ID and Password or via a 3rd party (Yahoo, Facebook, Twitter, etc.). The second step is our famous Packing Key.

Most of you know that your Packing Key is known only to you and decrypts your data directly in the browser. But what some of you may not realize is that we also use it as an additional authentication step. This is because your data will only be released by the server to your browser if a hash of your Packing Key matches the one stored.

This approach is clearly safer than any other two-step approach. So, we have always been reluctant to add a “traditional” second factor of authentication. However, since there are a few users that periodically ask us for it, we decided to introduce some form of Two Factor Authentication.

We started with a simple one: a One Time Password (OTP) via email.

How to Set Up Two Factor Authentication

Go to the Settings tab and launch the command Two Factor Authentication. Passpack verifies the configuration and lists the available factors. Continue and, in the next screen, choose the email address where the OTP will be sent. Also, you can choose to activate the second factor only when your Welcome Message doesn’t appear – for example, when you aren’t connected with your own PC.

In the next step Passpack will send you a test OTP to verify that you can receive it without issues (e.g. excessive waiting time, anti-spam filters, etc.). Simply check your mailbox, copy the OTP from the message and paste it in the field to complete the process.

Please be aware that if you set this up, you must have access to your mailbox before logging into Passpack (don’t create a catch-22, folks!).
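To make the moving parts of an emailed one-time code concrete, here is an added sketch (not Passpack's code) of issuing and checking such a code, including the "only when the Welcome Message is inactive" option. The 8-digit length, 10-minute lifetime, attempt limit and all names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 600   # assumed validity window
MAX_ATTEMPTS = 5        # assumed number of guesses allowed per issued code


class EmailOtpStore:
    """Keeps at most one pending code per account (in memory for this demo)."""

    def __init__(self, clock=time.time):
        self._pending = {}   # account -> [digest, expires_at, attempts_left]
        self._clock = clock

    @staticmethod
    def _digest(account, code):
        # Keep only a hash bound to the account, never the code itself.
        return hashlib.sha256(f"{account}:{code}".encode()).digest()

    def issue(self, account):
        code = f"{secrets.randbelow(10**8):08d}"   # drawn from the OS CSPRNG
        self._pending[account] = [self._digest(account, code),
                                  self._clock() + OTP_TTL_SECONDS,
                                  MAX_ATTEMPTS]
        return code   # the caller e-mails this to the address chosen in Settings

    def verify(self, account, submitted):
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[account]     # expired or guessed too often
            return False
        entry[2] -= 1
        if hmac.compare_digest(digest, self._digest(account, submitted.strip())):
            del self._pending[account]     # single use: a replay must fail
            return True
        return False


def otp_required(mode, welcome_message_active):
    """mode is 'off', 'always' or 'unrecognized' (only without a Welcome Message)."""
    if mode == "always":
        return True
    if mode == "unrecognized":
        return not welcome_message_active
    return False
```
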

* Sorry, just HAD to get a reference to the turkey in here somehow [wink]

Issues with Help Ticket System

Today I discovered a strange issue with our ticket system. In the last two months, it randomly marked some tickets as “closed”. So we didn’t answer them because we didn’t know of them.

I had a look at the “false closed” tickets and I saw that most of them were requests for deleting the account in order to restart with a brand new account. So I hope that the missing answer wasn’t so serious.

I have to admit that all my attention is always on Passpack, which must be safe, perfect. So I neglected the management of secondary applications such as the help ticket system.

I sincerely apologize for this inconvenience. I have now fixed the technical problem. In the next few days we will try to put things right.

Google Friend Connect Support is Ready!

As you probably know, two days ago a user alerted us about an issue with the access via Google/Gmail procedure.

We temporarily sidestepped the problem by avoiding the creation of new accounts via Google/Gmail, and immediately after this, started to work on support for Google Friend Connect.

It was a bit complicated because Google Friend Connect doesn’t support SSL. We had to work around this limitation with some tricks in order to maintain the usual level of security, and without any nasty browser alerts.

Also, we added a notice for users who usually access Passpack via Google/Gmail. The message suggests you associate a new Google Friend Connect logon with your account instead of the old Google/Gmail logon.

The notice about Gmail

IMHO, the new sign-in via Google Friend Connect is faster and more comfortable than the old one. I hope that you enjoy it.

Now, I can get back to work on the new Passpack Desktop.

Changing the Google access to Passpack

This morning a smart user alerted me about a security issue in using Google/Gmail to access the Passpack account.

I analyzed it and I discovered that Google has changed how Gmail authentication works, causing the library we use to fail. As a result of this, we are preparing to support Google Friend Connect. In the meantime, it will not be possible to create new accounts via Google or Gmail, but only to access existing ones.

How the interface changes.

Instead of two fields, the Gmail address and the Password, you will only have one: the Gmail address. Please note that this will work only with existing accounts and it will not be possible to create new accounts via Google/Gmail.

And about security?

When you type your Gmail address, Passpack will check if it exists and that a Passpack account is associated with it. If so, you will be asked for your Packing Key. As you probably know, only if the hash of the Packing Key is correct do you receive your encrypted data. So the first step is just a way to recognize who you say you are. The second, the request of the Packing Key, guarantees the security of the access. Also, if you didn’t set a Welcome Message, in order to safeguard your privacy, the welcome screen will show your Gmail email address without the “@gmail.com” suffix instead of your Passpack ID.
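The two-step gate described here, and in the Two Factor Authentication post above, can be sketched as follows. This is an added example, not Passpack's code: the posts only say that a hash of the Packing Key is compared with a stored one, so PBKDF2, the salt, the purpose labels and every name below are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor


def derive(packing_key, salt, purpose):
    """Browser side: stretch the Packing Key; `purpose` keeps the value sent
    for authentication different from the key that decrypts the data."""
    return hashlib.pbkdf2_hmac("sha256", packing_key.encode(),
                               salt + purpose, ITERATIONS)


class Server:
    """Holds a salt, a hash of the auth value and an opaque ciphertext only."""

    def __init__(self):
        self._accounts = {}

    def enroll(self, user_id, salt, auth_value, encrypted_blob):
        stored = hashlib.sha256(auth_value).digest()
        self._accounts[user_id] = (salt, stored, encrypted_blob)

    def salt_for(self, user_id):
        # Step 1: recognition only (User ID/password, 3rd party, or Gmail address).
        account = self._accounts.get(user_id)
        return account[0] if account else None

    def release(self, user_id, auth_value):
        # Step 2: the ciphertext leaves the server only if the hash matches.
        account = self._accounts.get(user_id)
        if account is None:
            return None
        _salt, stored, blob = account
        presented = hashlib.sha256(auth_value).digest()
        return blob if hmac.compare_digest(stored, presented) else None


def demo():
    server = Server()
    salt = os.urandom(16)
    packing_key = "correct horse battery staple"        # constructed sample
    enc_key = derive(packing_key, salt, b"encrypt")     # never leaves the browser
    auth_value = derive(packing_key, salt, b"auth")
    blob = b"<ciphertext produced in the browser with enc_key>"
    server.enroll("alice", salt, auth_value, blob)

    login_salt = server.salt_for("alice")
    released = server.release("alice", derive(packing_key, login_salt, b"auth"))
    refused = server.release("alice", derive("wrong key", login_salt, b"auth"))
    return released == blob, refused is None, auth_value != enc_key
```

Because the two derived values differ, what the server stores lets it check the Packing Key without holding anything that decrypts the blob.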

The next step.

Once the Google Friend Connect support is ready, you will be able to associate it with your account. UPDATE: Google Friend Connect is ready. Please follow these instructions to associate it with your account. You should also remove the current Google/Gmail association as we will phase it out quickly.

Server Update: www2.passpack.com

Just a quick notice. We just ran a migration on a few of our servers. The updates are now complete, all went well.

Due to some DNS issues, you may temporarily be redirected to https://www2.passpack.com (notice the 2). We just wanted to let you know that this is OK. You may log in and use your account as usual.

For good measure, if you were connected to Passpack prior to the updates, you might just want to log out and log back in again. If you run into any problems, please let us know. Thanks.

Service Announcement

Updating servers for the next 20 minutes. Service may be spotty or read only. If you can’t save changes, wait and try again later.

UPDATE: Complete. Thanks for your patience!

Features, Tricks, Fixes & Some Beta Tester Love

Happy Autumn! We sweat our way through the end-of-summer heat and just rolled out a series of little fixes, features and tricks.

More Auto-login Improvements

We’ve managed to nearly complete the browser compatibility list. After the last release, a few users were concerned that the Passpack popup was being blocked by NoScript. Francesco and Giorgio Maone had a quick phone call on how to possibly solve the issue. In implementing those changes, the side effect was better browser compatibility. Alas, it still doesn’t work with NoScript. Here’s the list:

  • Firefox 3+ (maybe 2 as well… you tell us)
  • Explorer 6, 7 & 8 (IE6 is still quirky, but “works”)
  • Chrome 2+
  • Safari 4
  • Opera - Sorry, still working on compatibility.

We also incorporated bug fixes in and around the handling of 1 Click Login vs. Click Through from your account logging in. We’ll continue with even more improvements.

Email Single Entries – No Bulk Edit Required

Click on an entry and have a look in the lower left-hand corner for the “email this” link. You can now send an encrypted entry to any person with an email – not just the folks in your People tab. We first introduced this feature as a Bulk Edit option, and have now extended it to single entries as well.

Wait, passwords via email?! No, no. Of course not. The entry will be encrypted and set aside securely on our server. Then a notification will be sent to your friend’s email, something like this:

[Image: sample notification email]

Time Saving Trick

Want to quickly rename an entry? No need to open it up, just hold down “E” on your keyboard and click on the name in your list.


Type away then press ENTER to commit the change, or ESC to cancel.

You can do the same with your tags as well.

Last But Not Least – Thank You Beta Testers!

My mother would have my head if she found out we released Auto-login 2.0 and haven’t yet thanked our beta testers (she’s actually on Facebook, so please no one tell on me [wink])! So without further ado, here they are in random order:

Thanks everyone! Also, to those of you who wrote into customer support to let us know the glitches you were running into – your help was very much appreciated. Please continue to keep us informed.

Greg Davis

Auto-login 2.0 Follow Up: Switch Versions


The Auto-login 2.0 release is going well so far. But we’ve found some special cases when you might prefer version 1.0. So we have added the option to switch between versions.

When Would This Be Useful?

Example 1: The new Passpack It! button works well on Firefox 3+. However certain plugins, for example NoScript, may cause it to fail. Auto-login 2.0 release uses iframes as a sandbox to avoid Cross-Site Scripting (XSS), yet NoScript blocks all code running in iframes. There’s no fix for this. So, if you are a Firefox-NoScript user, you will need to switch back to the older version. Other plugins or settings may cause similar problems.

Example 2: On Chrome 2 and Safari 4, the new Passpack It! button works sometimes, but not always. For this reason the Auto-login 2.0 release was not activated by default. However, if you really want to, you could try the new version.

The option to switch is available under Auto-login > Install your button.  Scroll down to the bottom of the page and read the instructions. You can always reverse this action if you want.

Want To Help Test?

Naturally, if you would like to help us complete testing Auto-login 2.0 on browsers that we have not officially supported yet – use this option to force Auto-login 2.0 and let us know how it works.

Quick Tip

Passpack It! button tip: if you can’t train a site, double-click your button and use the Feedback tab. It’ll be queued for fixing.

Auto-login 2.0 Release: Let's Rock & Roll

We’ve added uber-improved 1 Click Login performance. Plus double click to get a full service pop-up menu: train websites, send feedback, copy/paste and (we really like this one) … add an entry to your Passpack account directly from any website.

Save Passwords to Passpack from anywhere on the web.

If you already have a Passpack account, you need to reinstall your button. Here’s how. Check the browser compatibility below (scroll down). If you run into any issues, please let us know.

So What’s It Do?

  • NEW – Double-click your button to get a full options pop-up
  • NEW – Add passwords to Passpack from anywhere on the web
  • NEW – If all else fails, Copy/paste from the options pop-up
  • NEW – Find a broken link? Send feedback quickly from the options pop-up
  • Improved performance logging you into websites.
  • Multiple logins for one domain? No problem. Now has copy/paste too.
  • Improved training websites to login

This new release adds a few options and a ton of flexibility to the system. It was also an interesting battle to hop through all those crypto-hoops to make it work. Far too much for this post to cover, so I’ll go into more details in some follow-up posts. In the meantime you can go to Auto-login > Options for power users to play around.

Browser Compatibility

This is a first roll-out. We’ve got about 80% of our users covered.

  • Firefox - Versions 3+
  • Explorer - Versions 7 & 8. Explorer 6 is not supported.
  • Chrome - Version 3 supported (but don’t use it [wink]). Version 2 still working on compatibility… it’s oddly very buggy.
  • Safari - Still working on compatibility. The double-click on the button definitely won’t work, but there will be a work around for that.
  • Opera - Still working on compatibility.

If your browser isn’t compatible, you can continue to use your current button – it’ll work just fine.
